Intel Management Engine

Intel Management Engine

So this blog is a good example of why obscurity is not good security, you’ll see my point at the end — but please read on.I was recently reading about the MINIX Operating System. It is a Unix-like operating system that you’ve probably never heard of, but, if you’re running an Intel CPU, you may already be running it. MINIX is a fully functional operating system with a tiny footprint that does useful things like providing http services, file services, and anything else that a Unix-like box might do.

Any Intel chip made in the last eight years uses this operating system in a ‘side chip’ on the CPU to host Intel’s Management Engine (IME) suite. It runs at Ring -3 (yes, negative three) and is extremely hard to get at from the inside. To put that in perspective, a bare-metal hypervisor Like XenServer runs at Ring -1, where your regular operating system is at Ring 0 and your end user programs typically run at Ring 3.

The problem with this all is that several security flaws have been discovered that could potentially allow an attacker full access to any system with an Intel chip made within the last eight years by exploiting IME and MINIX. Since the MINIX OS is running at Ring -3, it has access to all memory and hardware on the system. So, if an attacker can successfully exploit either IME or MINIX, they can access any of a system’s memory however they see fit (reading, writing and/or executing). All without raising any indication to the higher rings that something is up. If you’re not sure if this is good or bad, just know that it is as bad for an end user as it can get.

There is very little documentation about this chip and the inner workings of IME outside of Intel which only exacerbated the issue. There was no known security issue with it since its launch, despite warnings from the information security community, so it was allowed to be installed into millions (possibly billions?) of units. Now that it has been successfully exploited, Intel and the end user are now dealing with a much bigger problem.

There are only two fixes to this vulnerability at this time. The first is a BIOS update, but this will only fix processors that are currently supported. My guess is this will leave several million out of OEM support computers in the dust and exploitable for quite some time. The other option is to switch over to an AMD chip which doesn’t use the IME technology, but that costs a lot of money. I have read a few articles that claim there are methods to disable IME, which would fix this as well, but they’re still in the experimental phase.

So, let’s learn a lesson from Intel and remember the number one security rule; Security through Obscurity is not security at all!

Also, if you’re worried your system may be affected by this vulnerability, Intel has been addressing it with firmware updates that target specific chipsets. See the links below.